Linux server intrusion detection basis

People are born free, but they are free from shackles. They think that they are all other masters, but they are slaves than everything else.

Recently, I encountered many examples of server intrusion. In order to facilitate future intrusion detection and troubleshooting, I queried some information about the intrusion forensics of Linux server, and summarized it for later reference.
Common signs of server intrusion, including but not limited to: sending large numbers of packets from inside to outside (DDOS broiler), server resources being exhausted (mining program), abnormal port connections (reverse shell, etc.), server logs Maliciously deleted, etc. So since it is intrusion detection, the first thing to judge is whether the server is compromised. It must be ruled out that the administrator is not operating properly. Therefore, the first task of intrusion detection is to ask the administrator server for anomalies. Judging is very important.

After asking about the abnormal information and excluding the administrator’s operation errors, etc., you can start the formal server for intrusion detection and forensic operations.

to add on

April 21, 2017


View the running process named

pidof filename


You can see the process through the file or the tcp udp protocol.

fuser -n tcp port


Can see the file modification time, size and other information

stat filename


Look at the load module



See rpc service open

rpcinfo -p


See if the network card is promiscuous mod

dmesg | grep eth0

Auditing order


This command can be used to view the successful login, shutdown, restart, etc. of our system. The essence is to format the /var/log/wtmp file, so if the file is deleted, the result cannot be output.

Related parameters:
Last -10(-n) View the last 10 records
Last -x reboot View the restarted record
Last -x shutdown View the shutdown record
Last -d view the log in
Last –help command help information
Last -f wtmp Use the last command to view the wtmp file (cannot be viewed directly)


This command is used to view the login failure. The essence is to format the /var/log/btmp file.

Related parameters:
Lastb name(root) View root user login failure record
Lastb -10(-n) View the last 10 login failure records
Lastb –heplp command help information


This command is used to view the user’s last login status. The essence is to format the /var/log/lastlog file.

Related parameters:
Lastlog All users last login record
Lastlog -u username(root) The last login record of the root user
Lastlog –help command help information


This command allows the user to view the current login system. The essence is to format the /var/log/utmp file. Mainly used to view the current user name, as well as the ip address information of the login, w command is the same as who, will be more detailed.


Viewing the history command record, in fact, is to view the contents of the root /.bash_history file, delete this file, the record is gone.

Related parameters:
History View all history
History -10 View the last 10 records
History | grep “wget” View the record of wget related information
History –help command help information

History shows the timestamp:

export HISTTIMEFORMAT="%F %T `whoami` "
history | more

Checking users

Different Linux users have different operation rights, but all users will record in /etc/passwd, /etc/shadow, /etc/group files.

Less /etc/passwd See if there are new users
Grep :0 /etc/passwd Check if there are privileged users (root privileged users)
Ls -l /etc/passwd View the last modification time of passwd
Awk -F: '$3==0 {print $1}' /etc/passwd Check if there are privileged users
Awk -F: 'length($2)==0 {print $1}' /etc/shadow Check if there is a null password user

Note: Linux sets a blank password: passwd -d username

Checking the process

Generally, the invaded server will run some malicious programs, or mining programs, or DDOS programs, etc. If the program is running, you can find some information by viewing the process.

Ordinary process

Ps -aux view process
Top View process
Lsof -p pid View the ports and files opened by the process
Lsof -c process name View associated file
Ps -aux | grep python | cut -d ' ' -f 2 | xargs kill Kill python related processes

If no exceptions are found in the process, you can see if some hidden processes are turned on.

Hide process

ps -ef | awk '{print}' | sort -n | uniq> 1
ls / proc | sort -n | uniq> 2
diff 1 2

Note: The above 3 steps are to check the hidden process.

Checking files

In the hacked website, usually the file is changed. You can check whether the file has been changed by comparing the file creation time, integrity, file path, and so on.

Find / -uid 0 -print Find privileged user files
Find / -size +10000k -print Find files larger than 10000k
Find / -name "..." -prin Find files with username ...
Find / -name core -exec ls -l {} \; find the core file and list the details
Md5sum -b filename View the md5 value of the file
Rpm -qf /bin/ls Check the integrity of the file (and other files in the /bin directory)
Whereis file name view file path
Ls -al filenames view file creation time
Du -sh filename name view file size

Checking the network

The purpose of checking the network is to check whether the hacker does the traffic sniffing by tampering with the NIC type.

Ip link | grep PROMISC Normal NIC should not have promisc, if there is sniffer
lsof -i
Netstat -nap view abnormal port
Arp -a Check if the arp record is normal
Ifconfig -a View NIC settings

Checking the scheduled task

When we try to kill a malicious program, we often encounter problems that are automatically started by the kill program, so we must check the cron.

Crontab -u root -l View the scheduled tasks of the root user
cat /etc/crontab
Ls -l /etc/cron.* See details of whether the cron file changes
ls / var / spool / cron /

Check the system back door

Tools can be used, such as: Conmodo, rkhunter, etc. Of course, you can also manually enter the command to check.

Vim $HOME/.ssh/authorized_keys View ssh permalink file/en
Lsmod check kernel module

Check out the famous wooden door back door program:

Ls /etc/rc.d # After the system is booted, the files in this directory will be started.
ls /etc/rc3.d

Check the back door of the website

If the web application is running on the server, you need to check whether the server is invaded through the web vulnerability. The specific judgment method can be combined with the middleware log and the system log, but the process takes a long time. We can also determine whether the hacker has invaded the server through the web application by checking whether there is a backdoor trojan placed on the server by the intruder.

Method One

  • In the website directory, the files with jsp, php, asp, and aspx files in the file name (note that they are included) are copied and compressed.
  • Scan the packaged directory through the [D Shield] ( tool under Windows to scan whether the Webshell (Web Portal)

Method Two

Directly use the [MaskFindShell] ( tool for webshell scanning (currently only scan jsp and php sites, and php’s false positives are high)
For detailed usage of MaskFindShell, please refer to: [MaskFindShell-Document] (

Looking for the server physical path

Regardless of the method of webshell lookup, the first thing to determine is the path to the web server installation, because webshells are placed under the web path.

Packing files

When we do all the intrusion detection analysis, we need to copy some log files to the local for further detailed analysis, how to package the server related information, and copy to the local?

Packaging web files

The package file name contains the jsp file, and the packaged file is my_txt_files.tar:

tar cvf my_txt_files.tar `find . -type f -name "*.jsp*"`

Packing log files

tar -cvf log.tar / var / log

Packing other information

last > last.log
netstat -an > netstat.log

Transfer files to local

Several ways to transfer files from the server to your local computer.


If the client connected to ssh is xshell, etc., you can install the lrzsz command (putty cannot be used)

apt-get install lrzsz

Upload files to linux, rz; download linux files, sz file names.

Open ftp or http

Open ftp here I did not introduce, many online tutorials, here mainly talk about opening http services.
Generally, linux server has python installed by default, so you can quickly open an http service with python. For details, refer to: [Python-based WebServer] ( E4%BA%8EPython%E7%9A%84WebServer/)

U disk mount

If we are not connected by ssh, but directly connected to the server through the monitor to operate, then you can try U disk transfer.

Fdisk -l View U disk path
Mount /dev/sdb4 /mnt mount U disk
Cd /mnt enter U disk
Umount /mnt Exit U disk

This article summarizes some of the most basic commands for Linux intrusion detection. As for how to use these commands well, it is necessary to combine the actual situation, mainly to see the experience. The above complaints are only the stage of intrusion detection information collection. As for how to analyze the intrusion path through existing information, other tools and knowledge are needed.

Reference link:

本文标题:Linux server intrusion detection basis


发布时间:2017年03月24日 - 11:03

最后更新:2019年08月16日 - 15:08

原始链接: server intrusion detection basis/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

nmask wechat